LMA5468A, LMA5469A and LMA5470A: Amended Cyber and Data endorsements for Liability policies

Background

While LMA5469A was issued in October 2022, LMA5468A and LMA5470A were issued on 15 March 2023 (beware the Ides of March!). Since LMA5468A, LMA5469A and LMA5470A are similar to their LMA5468, LMA5469 and LMA5470 predecessors, I recommend reading the analysis of those endorsements separately since I have chosen not to reproduce it here.

In LMA Bulletin LMA22-034-SD, the LMA stated that the changes to LMA5469 made for LMA5469A were ‘to clarify that the limited write-back of cover to the exclusion is subject to all the terms, conditions and exclusions of the policy (and any attached endorsements)’. This statement, however, does not tell the full story since the changes amount to more than a ‘clarification’.

Changing how LMA5468A, LMA5469A and LMA5470A operate

For each of LMA5468A, LMA5469A and LMA5470A, the primacy clauses of their predecessors have been deleted:

‘This endorsement supersedes any other wording in the Policy or any endorsement thereto having a bearing on a Cyber Act, Cyber Incident or Data, and, if in conflict with such wording, replaces it’.

This change should be considered in conjunction with the change to the preamble for the exceptions in paragraph 2:

‘Subject to all the terms, conditions and exclusions contained in this Policy or any endorsement thereto…’

Taken together, these changes are significant because they mean that other exclusions in the policy or attached to the policy – including those relating to cyber or data risks – could operate alongside those of LMA5468A, LMA5469A or LMA5470A. And if any exclusion in the policy applies to an insured’s claim, the claim is excluded. As such, these changes increase the likelihood that an insured’s claim will be excluded.

Rather than ‘clarifying’ how LMA5468A, LMA5469A or LMA5470A apply, it would be more accurate to say that the exceptions to the exclusions in the amended versions operate differently because they are also subject to the underlying policy’s other exclusions.

Other changes

Other changes introduced in LMA5468A, LMA5469A or LMA5470A are as follows:

  1. For LMA5469A and LMA5470A, the exceptions to the exclusions now appear in paragraph 2 (i.e. immediately after the exclusions of paragraph 1); and,
  2. The definition paragraphs are not numbered. As a result, the definition of ‘Cyber Incident’ has sub-clauses (a) and (b), which is inconsistent with the other sub-clauses of the wording which are numbered 1.1, 1.2, 2.1 and 2.2.

Summary of LMA5468A, LMA5469A and LMA5470A

| Exclusion | LMA5468A | LMA5469A | LMA5470A |
|---|---|---|---|
| Cyber Act: loss or damage in connection with unauthorised, malicious or criminal act involving access to or use of an electronic device | Excluded | Excluded | Excluded |
| Cyber Incident #1: loss or damage in connection with error or omission involving access to or use of an electronic device | Excluded | Excluded | Excluded |
| Cyber Incident #2: loss or damage in connection with the unavailability or failure to access or use an electronic device | Excluded | Excluded | Excluded |
| Any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident | Excluded | Excluded | Excluded |
| Loss of use or reduction in functionality of Data | Excluded | Excluded | Excluded |
| Repair, replacement, restoration, reproduction of Data | Excluded | Excluded | Excluded |
| Loss or theft of Data | Excluded | Excluded | Excluded |
| Value of Data | Excluded | Excluded | Excluded |
| Exceptions | | | |
| If arising out of a Cyber Incident, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. | No such exception | Excepted | Excepted |
| If arising out of a Cyber Act, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. | No such exception | No such exception | Excepted |

LMA5468, LMA5469 and LMA5470: Cyber and Data endorsements for Liability policies

Background

LMA5468, LMA5469 and LMA5470 are Cyber and Data Exclusion Endorsements for Liability policies that were released by the LMA in November 2020.

At their broadest, LMA5468, LMA5469 and LMA5470 all exclude liability ‘in connection with’:

  1. any Cyber Act;
  2. any Cyber Incident;
  3. any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident;
  4. any loss of use or reduction in functionality of any Data;
  5. any repair, replacement, restoration, reproduction of any Data;
  6. any loss or theft of any Data; or
  7. any amount pertaining to the value of such Data.

Where the exclusions differ, however, is in their exceptions: LMA5468 has none, LMA5469 has an exception for Cyber Incidents, and LMA5470 has exceptions for both Cyber Incidents and Cyber Acts.

| Exclusion | LMA5468 | LMA5469 | LMA5470 |
|---|---|---|---|
| Cyber Act: loss or damage in connection with unauthorised, malicious or criminal act involving access to or use of an electronic device | Excluded | Excluded | Excluded |
| Cyber Incident #1: loss or damage in connection with error or omission involving access to or use of an electronic device | Excluded | Excluded | Excluded |
| Cyber Incident #2: loss or damage in connection with the unavailability or failure to access or use an electronic device | Excluded | Excluded | Excluded |
| Any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident | Excluded | Excluded | Excluded |
| Loss of use or reduction in functionality of Data | Excluded | Excluded | Excluded |
| Repair, replacement, restoration, reproduction of Data | Excluded | Excluded | Excluded |
| Loss or theft of Data | Excluded | Excluded | Excluded |
| Value of Data | Excluded | Excluded | Excluded |
| Exceptions | | | |
| If arising out of a Cyber Incident, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. | No such exception | Excepted | Excepted |
| If arising out of a Cyber Act, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. | No such exception | No such exception | Excepted |

Overview of the definitions

As noted elsewhere on insurance-endorsements.com, the definitions of Cyber Act, Cyber Incident, Computer System and Data are problematic. For example,

  1. Cyber Act means ‘an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any Computer System.’ In this definition, it is unclear how ‘unauthorised’ should be interpreted. Is it from the perspective of the insured? If an act has not been authorised, does that mean it is unauthorised? If an employee unintentionally exceeds their authority, is that unauthorised? If an authorised employee commits an act that violates a policy, does that make it unauthorised? These questions could have been avoided if the LMA had sought to define a ‘Cyber Act’ in terms of actual cyber threats rather than generalities.
  2. Cyber Incident has two limbs:
    1. an error or omission involving access, processing, use or operation of a Computer System. For this limb, it appears that the errors or omissions could be by the insured or a third party, but it is appropriate to consider where the cyber risk is here; and
    2. any unavailability (whether partial or total) or failure to access, process, use or operate (whether partial or total) any Computer System. This second limb is concerned with the outcome rather than the cause – this makes the Cyber Incident exclusion very broad and means that it could exclude liability in the absence of an actual cyber risk.
  3. The definition of Computer System includes ‘any electronic device’. While the concept of a computer system has undoubtedly changed over time, not every electronic device is a computer system. In this respect, the LMA’s definition of Computer System over-reaches;
  4. Data means information, facts, concepts, code or any other information of any kind that is recorded or transmitted in a form to be used, accessed, processed, transmitted or stored by a Computer System [emphasis added]. Since physical documents could be scanned, photocopied or faxed, such documents could be ‘Data’. It would be more appropriate if Data were re-defined such that it was limited to electronic data (perhaps even using ‘electronic data’ without definition) and did not extend to physical documents.

Re-thinking the Data exclusions

Paragraph 1.2 of LMA5468, LMA5469 and LMA5470 contains the ‘Data’ exclusions, excluding liability in connection with any:

1.2 loss of use, reduction in functionality, repair, replacement, restoration, reproduction, loss or theft of any Data, including any amount pertaining to the value of such Data;

Paragraph 1.2 is problematic because it puts separate exclusions into a single clause and seems to confuse what could be termed ‘circumstance’ and ‘property’ exclusions. Consider if paragraph 1 of LMA5468, LMA5469 and LMA5470 were amended to the following:

1. Notwithstanding any provision to the contrary within this Policy or any endorsement thereto –

1.1 this Policy does not apply to any loss, damage, liability, claim, fines, penalties, cost or expense of whatsoever nature directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with:

1.1.1 any Cyber Act or Cyber Incident; or

1.1.2 any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident; or

1.1.3 any loss of use or reduction in functionality of Data,

regardless of any other cause or event contributing concurrently or in any other sequence thereto unless subject to the provisions of paragraph 5 [note: subjectivity only appropriate for LMA5469 and LMA5470];

1.2 this Policy excludes any loss, damage, liability, claim, fines, penalties, cost or expense of whatsoever nature for any:

1.2.1 repair, replacement or restoration of Data; [note: deleted ‘reproduction’]

1.2.2 loss or theft of Data; or

1.2.3 amount pertaining to the value of Data.

The exclusions in paragraphs 1.2.1, 1.2.2 and 1.2.3, above, are concerned with Data as property and not circumstances within a broader chain of causation. Note, also, that the word ‘reproduction’ has been intentionally omitted from sub-clause 1.2.1 – the term ‘reproduction’ is problematic because it could apply to a third party that is distributing the Data and this is inconsistent with the other terms in that sub-clause.

The exceptions of LMA5469 and LMA5470

While LMA5468 does not have any exceptions to its exclusions, LMA5469 and LMA5470 do. Specifically,

  • LMA5469 has exceptions for ‘ensuing third party bodily injury’ or ‘ensuing physical damage to or destruction of third party property’ arising from a Cyber Incident; while,
  • LMA5470 has exceptions for ‘ensuing third party bodily injury’ or ‘ensuing physical damage to or destruction of third party property’ arising from a Cyber Incident or Cyber Act.

However, these exceptions may not be effective if the Data exclusions in paragraph 1.2 were enlivened. This is why the ‘Data’ exclusions should be amended, potentially as proposed above.

In determining the scope of the LMA5469 and LMA5470 exceptions, it is important to consider the cover provided by the underlying policy. In Australia, many General Liability (GL) or Public and Product Liability (PPL) policies indemnify the insured for its liability to pay compensation for:

  1. ‘injury’, which may include bodily injury, mental injury, invasion of privacy, defamation and discrimination; and
  2. ‘property damage’, which may include both a) damage to tangible property (including loss of use therefrom) and b) loss of use of tangible property which arises out of damage to other tangible property.

In comparing the exceptions in LMA5469 and LMA5470 with these definitions, it is apparent that:

  1. ‘bodily injury’ in the exceptions of LMA5469 and LMA5470 is narrower than ‘injury’ in many General Liability policies, such that mental injury, invasion of privacy, defamation and discrimination remain excluded; and
  2. ‘damage to or destruction of tangible third party property’ in the exceptions of LMA5469 and LMA5470 is narrower than ‘property damage’ in many General Liability policies since there is no allowance for ‘loss of use’ of property.

Other features of LMA5468, LMA5469 and LMA5470

Other features of LMA5468, LMA5469 and LMA5470 are as follows –

  1. Paragraph 2: a ‘reading down’ clause whereby, if any portion is invalid or unenforceable, the remainder shall apply in full force and effect (or, in the words of the endorsement, ‘the remainder shall remain…’);
  2. Paragraph 3: a ‘primacy clause’ whereby the endorsement supersedes or replaces any other clauses in the policy regarding Cyber Acts, Cyber Incidents or Data. Note, however, that this clause is deleted from LMA5468A, LMA5469A and LMA5470A;
  3. Paragraph 4: reverses the onus of proof such that, if the insurer alleges that the endorsement excludes ‘loss sustained by the Insured’, then the insured has the burden of proving otherwise. Here, it is appropriate to consider:
    1. what would be required for an insurer to ‘allege’ that the exclusion applies? The endorsement is silent on this; and
    2. what justifies reversing the onus of proof? Parties to an insurance contract may specify who bears the onus of proving a particular fact, even if this involves reversing the onus of proof: see Levy v Assicurazione Generali [1940] AC 791. However, reversing the onus of proof is contrary to the interests of insureds and conflicts with the traditional position whereby the insurer must prove that an exclusion applies. Given the resources and expertise of insurance companies, it is difficult to see how reversing the burden of proof could lead to more equitable outcomes.

Separately, it is unusual that paragraph 4 only uses the term ‘loss’ when paragraph 1 uses the terms ‘loss’, ‘damage’, ‘liability’, ‘claim’, ‘fines’, ‘penalties’, ‘cost’ and ‘expense’. While the intention of the clause is almost certainly to exclude all of these, the endorsement itself is not so explicit.

Please note that LMA5468, LMA5469 and LMA5470 have since been replaced by LMA5468A, LMA5469A and LMA5470A. The analysis in this article, however, is relevant to those updated endorsements.